Merge pull request #188637 from MicrosoftDocs/main

2/15 AM Publish

Author: huypub

articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md

@@ -6,12 +6,12 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 02/09/2022
+ms.date: 02/15/2022
 
 ms.author: justinha
 author: vimrang
 manager: daveba
-ms.reviewer: tommma
+ms.reviewer: vimrang
 
 ms.collection: M365-identity-device-management
 ms.custom: has-adal-ref
@@ -49,7 +49,9 @@ Let's cover each step:
 
    :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-alt.png" alt-text="Screenshot of the Sign-in if FIDO2 is also enabled.":::
 
-1. After the user clicks the link, the client is redirected to the certauth endpoint [http://certauth.login.microsoftonline.com](http://certauth.login.microsoftonline.com). The endpoint performs mutual authentication and requests the client certificate as part of the TLS handshake. You will see an entry for this request in the Sign-in logs. There is a [known issue](#known-issues) where User ID is displayed instead of Username.
+1. After the user clicks the link, the client is redirected to the certauth endpoint, which is [http://certauth.login.microsoftonline.com](http://certauth.login.microsoftonline.com) for Azure Global. For [Azure Government](/azure-government/compare-azure-government-global-azure.md#guidance-for-developers), the certauth endpoint is [http://certauth.login.microsoftonline.us](http://certauth.login.microsoftonline.us). For the correct endpoint for other environments, see the specific Microsoft cloud docs. 
+
+   The endpoint performs mutual authentication and requests the client certificate as part of the TLS handshake. You will see an entry for this request in the Sign-in logs. There is a [known issue](#known-issues) where User ID is displayed instead of Username.
 
    :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png" alt-text="Screenshot of the Sign-in log in Azure AD." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png":::
 

articles/active-directory/reports-monitoring/media/workbook-cross-tenant-access-activity/cross-tenant-workbook-step-1.png

@@ -12,7 +12,7 @@ ms.service: active-directory
 ms.topic: reference
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 02/04/2022
+ms.date: 02/14/2022
 ms.author: mimart
 
 ms.collection: M365-identity-device-management
@@ -45,7 +45,23 @@ This workbook has four sections:
 
 - Individual users for inbound and outbound collaboration by tenant ID
 
-![Screenshot showing list of external tenants with sign-in data](./media/workbook-cross-tenant-access-activity/external-tenants-list.png)
+The total number of external tenants that have had cross-tenant access activity with your tenant is shown at the top of the workbook. 
+
+Under **Step 1**, the external tenant list shows all the tenants that have had inbound or outbound activity with your tenant. When you select an external tenant in the table, the remaining sections update with information about outbound and inbound activity for that tenant.
+
+[ ![Screenshot showing list of external tenants with sign-in data.](./media/workbook-cross-tenant-access-activity/cross-tenant-workbook-step-1.png) ](./media/workbook-cross-tenant-access-activity/cross-tenant-workbook-step-1.png#lightbox)
+
+The table under **Step 2** summarizes all outbound and inbound sign-in activity for the selected tenant, including the number of successful sign-ins and the resons for failed sign-ins. You can select **Outbound activity** or **Inbound activity** to update the remaining sections of the workbook with the type of activity you want to view.
+
+![Screenshot showing activity for the selected tenant.](./media/workbook-cross-tenant-access-activity/cross-tenant-workbook-step-2.png)
+
+Under **Step 3**, the table lists the applications that are being accessed across tenants. If you selected **Outbound activity** in the previous section, the table shows the applications in external tenants that are being accessed by your users. If you selected **Inbound activity**, you'll see the list of your applications that are being accessed by external users. You can select a row to find out which users are accessing that application.
+
+![Screenshot showing application activity for the selected tenant.](./media/workbook-cross-tenant-access-activity/cross-tenant-workbook-step-3.png)
+
+The table in **Step 4** displays the list of users who are accessing the application you selected.
+
+![Screenshot showing users accessing an app.](./media/workbook-cross-tenant-access-activity/cross-tenant-workbook-step-4.png)
 
 ## Filters
 

articles/active-directory/reports-monitoring/media/workbook-cross-tenant-access-activity/cross-tenant-workbook-step-2.png

@@ -51,7 +51,7 @@ This setting controls the directory where iisnode logs stdout/stderr. The defaul
 
 ### debuggerExtensionDll
 
-This setting controls what version of node-inspector iisnode uses when debugging your node application. Currently, iisnode-inspector-0.7.3.dll and iisnode-inspector.dll are the only two valid values for this setting. The default value is iisnode-inspector-0.7.3.dll. The iisnode-inspector-0.7.3.dll version uses node-inspector-0.7.3 and uses web sockets. Enable web sockets on your Azure webapp to use this version. See <https://ranjithblogs.azurewebsites.net/?p=98> for more details on how to configure iisnode to use the new node-inspector.
+This setting controls what version of node-inspector iisnode uses when debugging your node application. Currently, iisnode-inspector-0.7.3.dll and iisnode-inspector.dll are the only two valid values for this setting. The default value is iisnode-inspector-0.7.3.dll. The iisnode-inspector-0.7.3.dll version uses node-inspector-0.7.3 and uses web sockets. Enable web sockets on your Azure webapp to use this version. 
 
 ### flushResponse
 

articles/active-directory/reports-monitoring/media/workbook-cross-tenant-access-activity/cross-tenant-workbook-step-3.png

@@ -1,5 +1,5 @@
 ---
-title: 'Quickstart: Deploy a Python web app to Azure App Service'
+title: 'Quickstart: Deploy a Python (Django or Flask) web app to Azure'
 description: Get started with Azure App Service by deploying your first Python app to Azure App Service.
 ms.topic: quickstart
 ms.date: 01/28/2022
@@ -101,7 +101,7 @@ Having issues? [Let us know](https://aka.ms/PythonAppServiceQuickstartFeedback).
 
 ## 2 - Create a web app in Azure
 
-To host your application in Azure, you need to create Azure App Service web app in Azure. You can create a web app using the [Azure portal](https://portal.azure.com/), VS Code using the [Azure Tools extension pack](https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack), or the Azure CLI.
+To host your application in Azure, you need to create Azure App Service web app in Azure. You can create a web app using the [Azure portal](https://portal.azure.com/), [VS Code](https://code.visualstudio.com/) using the [Azure Tools extension pack](https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack), or the Azure CLI.
 
 ### [Azure portal](#tab/azure-portal)
 

articles/active-directory/reports-monitoring/media/workbook-cross-tenant-access-activity/cross-tenant-workbook-step-4.png

@@ -85,7 +85,7 @@ Review your new Automation account.
 
 :::image type="content" source="./media/automation-create-standalone-account/automation-account-overview.png" alt-text="Automation account overview page":::
 
-When the Automation account is successfully created, several resources are automatically created for you. After creation, these runbooks can be safely deleted if you do not wish to keep them. The managed identities can be used to authenticate to your account in a runbook, and should be left unless you create another one or do not require them. The following table summarizes resources for the account.
+When the Automation account is successfully created, several resources are automatically created for you. After creation, these runbooks can be safely deleted if you do not wish to keep them. The managed identities can be used to authenticate to your account in a runbook, and should be left unless you create another one or do not require them. The Automation access keys are also created during Automation account creation. The following table summarizes resources for the account.
 
 |Resource |Description |
 |------||------|
@@ -96,6 +96,48 @@ When the Automation account is successfully created, several resources are autom
 > [!NOTE]
 > The tutorial runbooks have not been updated to authenticate using a managed identity. Review the [Using system-assigned identity](enable-managed-identity-for-automation.md#assign-role-to-a-system-assigned-managed-identity) or [Using user-assigned identity](add-user-assigned-identity.md#assign-a-role-to-a-user-assigned-managed-identity) to learn how to grant the managed identity access to resources and configure your runbooks to authenticate using either type of managed identity.
 
+## Manage Automation account keys
+
+When you create an Automation account, Azure generates two 512-bit automation account access keys for that account. These keys are shared access keys that are used as registration keys for registering [DSC nodes](/azure/automation/automation-dsc-onboarding#use-dsc-metaconfiguration-to-register-hybrid-machines) as well as [Windows](/azure/automation/automation-windows-hrw-install#manual-deployment) and [Linux](/azure/automation/automation-linux-hrw-install#manually-run-powershell-commands) Hybrid runbook workers. These keys are only used while registering DSC nodes and Hybrid workers. Existing machines configured as DSC nodes or hybrid workers won’t be affected after rotation of these keys. 
+
+### View Automation account keys
+
+To view and copy your Automation account access keys, follow these steps:
+1. In the [Azure portal](https://portal.azure.com/), go to your Automation account.
+1. Under **Account Settings**, select **Keys** to view your Automation account's primary and secondary access keys. 
+You can use any of the two keys to access your Automation account. However, we recommend that you use the first key and reserve the use of second key.
+
+   :::image type="content" source="./media/automation-create-standalone-account/automation-demo-keys-inline.png" alt-text="Automation Keys page" lightbox="./media/automation-create-standalone-account/automation-demo-keys-expanded.png" :::
+
+### Manually rotate access keys
+
+We recommend that you rotate your access keys periodically to keep the Automation account secure. As you have two access keys, you can rotate them using Azure portal or Azure PowerShell cmdlet.
+
+Choose a client
+
+# [Azure portal](#tab/azureportal)
+
+Follow these steps:
+1. Go to your Automation account in [Azure portal](https://portal.azure.com/).
+1. Under **Account Settings**, select **Keys**.
+1. Select **Regenerate primary** to regenerate the primary access key for your Automation account.
+1. Select the **Regenerate secondary** to regenerate the secondary access key.
+  :::image type="content" source="./media/automation-create-standalone-account/regenerate-keys.png" alt-text="Regenerate keys":::
+  
+# [Azure PowerShell](#tab/azurepowershell)
+
+Run the [New-AzAutomationKey](/powershell/module/az.automation/new-azautomationkey) command to regenerate the primary access key, as shown in the following example: 
+
+  ```azurepowershell
+  New-AzAutomationKey -KeyType Primary -ResourceGroup <ResourceGroup> -AutomationAccountName <AutomationAccount>
+  ```
+ ---
+
+### View registration URL
+The DSC node registers with the State Configuration service using the registration URL and authenticates using a registration access key along with the Automation Account access keys.
+
+:::image type="content" source="./media/automation-create-standalone-account/automation-demo-keys-url-inline.png" alt-text="Screenshot of Automation Keys and URL" lightbox="./media/automation-create-standalone-account/automation-demo-keys-url-expanded.png" :::
+
 ## Next steps
 
 * To get started with PowerShell runbooks, see [Tutorial: Create a PowerShell runbook](./learn/powershell-runbook-managed-identity.md).